The hack and on-chain trail

According to blockchain sleuth, ZachXBT, the attacker first consolidated the stolen tokens into a primary wallet before moving large sums through Tornado Cash.

Key movements include:

• 1,140 BNB ($1.04 m) sent into Tornado Cash on BSC.
• 346.8 ETH  ($1.05 m) bridged to Ethereum and deposited into Tornado Cash there.
• A separate address still holding about 346 ETH ($1.046 m) remains idle, suggesting the attacker may be preparing further moves.

By routing funds through Tornado Cash, the exploiter aimed to obscure the money trail and complicate tracing, a common laundering tactic in past exploits.

JUST IN:

GANA Payment exploited for over $3.1 million on BNB Smart Chain, ZachXBT reports.

Attacker consolidated the stolen funds at a BSC address: 0x2e8…e5c38.

1,140 BNB (~US$ 1.04 M) was swapped and then deposited into Tornado Cash on BSC.

Another 346 ETH (~US$ 1.046 M)… pic.twitter.com/lYQQMy3sPz

— Crypto Aman (@cryptoamanclub) November 20, 2025

GANA Payment: Project context

GANA Payment is a Web3 payments platform built on BSC, launched to offer remittance and merchant-payment services in emerging markets. The project promised lower transaction fees, quick settlement, and programmable DeFi-based financial tools.

Following the exploit, the team confirmed a breach in its “interaction contract” and stated that outside security firms have been engaged to investigate the attack. A recovery framework and project reboot are reportedly underway.

Why this exploit matters

GANA Payment exploit matters because:

• Large loss: A $3.1 million exploit is significant for a newly launched platform, raising concerns about code audits and security preparedness.
• Use of mixers: The laundering through Tornado Cash highlights continued reliance on anonymizing tools by bad actors, reigniting debates around privacy-mixers and regulatory oversight.
• Risk to emerging-market DeFi projects: Platforms combining Web2-style payments with on-chain services may face elevated security threats due to their hybrid architecture.
• Idle attacker funds: The unmoved 346 ETH indicates the situation is still developing, with the attacker possibly waiting or planning further obfuscation.

Tornado Cash’s legal status after years of scrutiny

Tornado Cash remains one of the most controversial tools in crypto after years of legal battles in the U.S. The mixer was originally sanctioned in 2022 for allegedly facilitating large-scale laundering, including funds linked to North Korea. In 2024, a federal appeals court ruled that sanctioning its immutable smart-contract code exceeded Treasury’s authority, and in early 2025 the U.S. formally removed Tornado Cash from the sanctions list.

Despite the delisting, legal pressure has not disappeared. Tornado Cash developer Roman Storm was convicted in 2025 on a charge related to operating an unlicensed money-transmitting business, though jurors failed to agree on broader money-laundering allegations. 

The mixed outcome leaves Tornado Cash in a gray zone: the protocol is no longer sanctioned, but its developers still face prosecution, and regulators continue debating how privacy tools fit into the existing financial-crime framework.